Single Sign-On Overview

Identity allows a customer's user directory to be connected as an identity provider (IDP); this arrangement is referred to as "Identity Federation." When federation is configured, Identity delegates authentication and authorization of end users to the federated IDP, so our customers gain control over which employees can access the Ansarada Platform.

The following diagram demonstrates the simplified authorization flow (login) when identity federation is used (authorization protocol-specific details are omitted for brevity):

The following diagram demonstrates the simplified Ansarada platform invitation flow when identity federation is used (authorization protocol-specific details are omitted for brevity):

Single Sign-On Setup

Step 1

Please send us the following information, which will help us set up your SSO configuration on the Ansarada platform. Please include all fields:

Email Domains & SSO URL

| Parameter | Value | Description |
| --- | --- | --- |
| Email domains | A list of email domains | The email domain(s) of users that should be authenticated by the configured Identity Provider |
| SSO URL | URL | The URL at the Identity Provider to which SAML authentication requests should be sent. This is often called a Single Sign-on (SSO) URL |
| Logout URL | URL | The URL at the Identity Provider to which SAML logout requests should be sent. This is often called a logout URL, a global logout URL or a single logout URL |
| Signing certificate | .pem or .cer format | The Identity Provider will digitally sign authentication assertions, and the Service Provider needs the signing certificate to validate the signature of the signed assertions. |

SAML token mapping information

| Parameter | Is Required | SAML Value | Description |
| --- | --- | --- | --- |
| Name ID | yes | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | Identifier of a user in the Identity Provider. At the moment, Ansarada requires email address (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) as the NameID format |
| Email | yes | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | User's email address |
| FirstName | yes | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | User's first name |
| LastName | yes | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | User's last name |
| FullName | optional | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name OR http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | User's full name |

Step 2

Once your SSO account has been set up on the Ansarada side (using the information you sent us in the previous step), we will provide information about what the Ansarada platform expects to receive as a result of successful authorization (Assertion Consumer Service URL and EntityID).

| Parameter | Value | Description |
| --- | --- | --- |
| Assertion Consumer Service URL / Application Callback URL | https://auth.au.ansarada.com/login/callback?connection=&lt;sso-connection-id&gt; | The URL where the Identity Provider needs to send the SAML assertions after it has authenticated a user. Sso-Connection-Id varies per customer. The final value is known after initial setup in Identity |
| EntityID (Audience) | urn:auth0:ansarada:&lt;sso-connection-id&gt; | The value identifies the audience (service provider) for whom the SAML assertion is issued. Sso-Connection-Id varies per customer. The final value is known after initial setup in Identity |
| Single Logout Service URL | https://auth.au.ansarada.com/logout | The Single Logout Service URL, where SAML logout requests and/or responses from the Identity Provider must be sent. When configuring the Identity Provider, make sure that SAML Logout Requests sent to the Service Provider are signed. |

Step 3

Once Steps 1 and 2 are done, we can schedule a testing session to make sure SSO is configured properly, and then go live. We suggest you set up a test email domain for testing purposes, for example @test.awesomecorp.com
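Before the testing session, an Identity Provider administrator can compare a captured assertion with the values from Steps 1 and 2. The following is an added example, not Ansarada's code: the function name, the sample assertion and the connection id `con_EXAMPLE` are constructed, and the email-domain check is an assumed pre-flight check. It inspects structure only and does not verify the signature or validity period.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED = ("emailaddress", "givenname", "surname")  # Email, FirstName, LastName
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: unsigned, and the LastName (surname) attribute is missing.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jo@test.awesomecorp.com</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData
    Recipient="https://auth.au.ansarada.com/login/callback?connection=con_EXAMPLE"/></saml:SubjectConfirmation>
 </saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>urn:auth0:ansarada:con_EXAMPLE</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/>
 </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, connection_id, email_domains):
    """Return a list of mismatches against the setup tables (empty list = OK)."""
    root = ET.fromstring(xml_text)  # works for a bare Assertion or a full Response
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    elif (name_id.text or "").strip().rpartition("@")[2].lower() not in email_domains:
        problems.append("NameID domain is not a federated email domain")  # assumed check
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", "", NS)
    if audience.strip() != f"urn:auth0:ansarada:{connection_id}":
        problems.append("Audience does not match EntityID")
    data = root.find(".//saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    acs = f"https://auth.au.ansarada.com/login/callback?connection={connection_id}"
    if data is None or data.get("Recipient") != acs:
        problems.append("Recipient does not match Assertion Consumer Service URL")
    present = {a.get("Name") for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)}
    problems += [f"missing attribute {c}" for c in REQUIRED if CLAIMS + c not in present]
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE, "con_EXAMPLE", {"test.awesomecorp.com"}))
```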

Frequently Asked Questions

For any help throughout the process, please reach out to Ansarada support.
